Support conntrack module #872

haught · 2019-11-08T06:28:45Z

I would like to add more support for conntrack module options (http://ipset.netfilter.org/iptables-extensions.man.html). These changes do include modifying the existing ctstate option to use the module argument mapping so that the additional options can be added.

haught · 2019-11-09T15:20:41Z

I have found one oddity I have not figured out yet. If any of the port options are given as the first option:

firewall { '201 test rule':
    chain => 'DOCKER-USER',
    ctorigdstport => '80',
    action => 'drop',
}

I get the issue:

Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (5) and values (7) count mismatch on line: -A DOCKER-USER -p tcp -m conntrack --ctorigdstport 80 -m comment --comment "201 test rule" -j DROP

But the rule created is correct and how I would expect it:

-A DOCKER-USER -p tcp -m conntrack --ctorigdstport 80 -m comment --comment "201 test rule" -j DROP

If I give any of the options that occur before the port ones in the rule (ctstate, ctproto, ctorigsrc, ctorigdst, ctreplsrc, ctrepldst), everything works. For example:

firewall { '201 test rule':
    chain => 'DOCKER-USER',
    ctproto => '6',
    ctorigdstport => '80',
    action => 'drop',
}

Is it maybe counting the ctorigdstport option twice, once for ctorigdstport and once for ctorigdst ? But only when first? It only occurs with ctorigsrcport, ctorigdstport, ctreplsrcport, ctrepldstport as the first option.

haught · 2019-11-12T16:09:48Z

I can get ctorigdst/ctorigdstport et al. working by adding whitespace to the end of the include? comparison in the module argument mapping. There should be a space after every iptables argument it is matching, and it makes it unique. It is not very elegant... is there a better way? It would apply to every module.

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index c1cba9d..98716f8 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -246,7 +246,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
             resource_map_new[argument][0] = "-m #{ipt_module} #{resource_map_original[argument].first}"
             break
           end
-        elsif compare.include?(resource_map_original[argument])
+        elsif compare.include?(resource_map_original[argument]+' ')
           resource_map_new[argument] = "-m #{ipt_module} #{resource_map_original[argument]}"
           break
         end

DavidS

Thanks a lot for your contribution, and happy holidays!

Support conntrack module

add conntrack module support

47af7d0

haught requested a review from a team as a code owner November 8, 2019 06:28

clean up whitespace and use single-quoted strings

c784bea

haught added 2 commits November 15, 2019 12:56

fix overlapping iptables arguments for modules

657a2b1

add spaces

e755bd5

DavidS approved these changes Dec 19, 2019

View reviewed changes

DavidS merged commit 5aaedbf into puppetlabs:master Dec 19, 2019

DavidS added the feature label Dec 19, 2019

DavidS mentioned this pull request Dec 19, 2019

Support ctdir #830

Closed

camilo-schoeningh-sociomantic pushed a commit to mohammed-elhakim-sociomantic/puppetlabs-firewall that referenced this pull request Jan 10, 2020

Merge pull request puppetlabs#872 from haught/conntrack_module

08ada90

Support conntrack module

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support conntrack module #872

Support conntrack module #872

haught commented Nov 8, 2019

haught commented Nov 9, 2019

haught commented Nov 12, 2019

DavidS left a comment

Support conntrack module #872

Support conntrack module #872

Conversation

haught commented Nov 8, 2019

haught commented Nov 9, 2019

haught commented Nov 12, 2019

DavidS left a comment

Choose a reason for hiding this comment